mortenb123
(Morten Bjoernsvik)
February 4, 2025, 10:05am
1
Hi, I have issues with my ES|QL queries, something with the index.
More than 10K entries
Then I press the Try ES|QL:
None.
If I go back the index is empty:
I have to explicitly re-select it from the index pull-down.
The time-range is the same.
If I use the devtool I can reproduce it; I can't see any hidden characters in the index?
mortenb123
(Morten Bjoernsvik)
February 4, 2025, 1:48pm
2
The issue is that we switched from logstash (@timestamp) to fluentbit (time), and Kibana ES|QL detects that @timestamp is being used.
We have changed the data view to use time (but maybe the ES|QL part can't detect this like classic).
I can do it explicitly in the Elastic REST API, but it does not seem to work in Kibana:
python .\tools\esql.py --q='FROM fido2.multi-tenant.events-test12.0* | keep time | sort time DESC | limit 10'
20250204144002.583|INFO|C:\dist\multitenant-fullstack-test\tools\esql.py:419|query: FROM fido2.multi-tenant.events-test12.0* | keep time | sort time DESC | limit 10
time
2025-02-04T12:01:03.468Z
2025-02-04T12:00:35.637Z
2025-02-04T10:01:09.107Z
2025-02-04T10:00:39.450Z
2025-02-04T08:38:45.942Z
2025-02-04T08:38:02.054Z
2025-02-04T08:37:52.114Z
2025-02-04T08:37:51.827Z
2025-02-04T08:01:17.990Z
2025-02-04T08:00:40.759Z
python .\tools\esql.py --q='FROM fido2.multi-tenant.events-test12.0* | keep @timestamp | sort @timestamp DESC | limit 10'
20250204144418.645|INFO|C:\dist\multitenant-fullstack-test\tools\esql.py:419|query: FROM fido2.multi-tenant.events-test12.0* | keep @timestamp | sort @timestamp DESC | limit 10
20250204144418.736|ERROR|C:\dist\multitenant-fullstack-test\tools\esql.py:430|error or no data found
python .\tools\esql.py --q='FROM fido2.multi-tenant.events-test12.0* | keep time,@timestamp | sort @timestamp DESC | limit 10'
20250204144558.383|INFO|C:\dist\multitenant-fullstack-test\tools\esql.py:419|query: FROM fido2.multi-tenant.events-test12.0* | keep time,@timestamp | sort @timestamp DESC | limit 10
time
2025-01-31T22:20:53.706Z
2025-01-31T22:22:54.564Z
2025-01-31T22:19:32.621Z
2025-01-31T22:20:31.555Z
2025-01-31T22:19:17.146Z
2025-01-31T22:20:53.866Z
2025-01-31T22:19:25.054Z
2025-01-31T22:19:30.159Z
2025-01-31T22:20:31.246Z
2025-01-31T22:22:58.613Z
costin
(Costin Leau)
February 11, 2025, 2:30pm
3
Could you please post some screenshots with your kibana UI alongside the ES version used?
Thanks!
Hey, ES|QL doesn't work with data views, so changing the time field there won't be depicted in the ES|QL mode.
Which Kibana version are you running? At 8.16, if I am not mistaken, we introduced the ?_tend and ?_tstart variables. If you use them as in my example below, then the time picker will use the event.ingested time field for filtering and not the @timestamp one:
FROM custom-metrics-without-timestamp | WHERE event.ingested <=?_tend and event.ingested >?_tstart
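To make the advice in this thread concrete, here is an added example in Python (my code, not the thread's esql.py and not Elastic's): it builds a request for the ES|QL `_query` REST API against a caller-chosen time field, passes the time bounds as named parameters the way Kibana's `?_tstart`/`?_tend` do instead of splicing them into the query text, validates the index pattern and field name (which ES|QL cannot parameterise) before interpolating them, and then checks that the returned rows actually carry the chosen time field. That last check matters because a time-based search or detection rule aimed at a field the ingest pipeline no longer writes returns an empty result with no error, which is exactly what the first post describes. The endpoint, API key, and the `SAMPLE_RESPONSE` dict are placeholders and constructed data; `run_query` is the only part that touches the network and assumes an Elasticsearch version with named ES|QL parameters.

```python
"""Added example (not the thread's esql.py and not Elastic code): query the ES|QL
_query API on a caller-chosen time field, pass the bounds as named parameters,
and verify the chosen field is populated before trusting the result."""
import json
import re
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed connection settings; the thread shows neither endpoint nor credentials.
ES_URL = "http://localhost:9200"          # placeholder endpoint
API_KEY = "<api-key-placeholder>"         # placeholder, never a real key

# Identifiers cannot be parameterised in ES|QL, so whitelist them before interpolation.
_INDEX_RE = re.compile(r"[A-Za-z0-9_.*-]+(?:,[A-Za-z0-9_.*-]+)*")
_FIELD_RE = re.compile(r"@?[A-Za-z0-9_][A-Za-z0-9_.]*")


def is_valid_index_pattern(index: str) -> bool:
    return bool(_INDEX_RE.fullmatch(index))


def is_valid_field(field: str) -> bool:
    return bool(_FIELD_RE.fullmatch(field))


def build_query_body(index: str, time_field: str, start: str, end: str, limit: int = 10) -> dict:
    """JSON body for POST /_query: the bounds travel in `params`, like Kibana's ?_tstart/?_tend."""
    if not is_valid_index_pattern(index):
        raise ValueError(f"unexpected characters in index pattern: {index!r}")
    if not is_valid_field(time_field):
        raise ValueError(f"unexpected characters in field name: {time_field!r}")
    query = (
        f"FROM {index} "
        f"| WHERE {time_field} >= ?start AND {time_field} <= ?end "
        f"| KEEP {time_field} | SORT {time_field} DESC | LIMIT {int(limit)}"
    )
    return {"query": query, "params": [{"start": start}, {"end": end}]}


def last_hours(hours: int, now: Optional[datetime] = None) -> tuple:
    """ISO-8601 (start, end) for the last `hours`, as a time picker would supply them."""
    now = now or datetime.now(timezone.utc)
    start = now - timedelta(hours=hours)
    return start.isoformat().replace("+00:00", "Z"), now.isoformat().replace("+00:00", "Z")


def run_query(body: dict, es_url: str = ES_URL, api_key: str = API_KEY) -> dict:
    """POST the body to /_query (network call; not exercised offline)."""
    req = urllib.request.Request(
        f"{es_url}/_query?format=json",
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json", "Authorization": f"ApiKey {api_key}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def rows_from_response(resp: dict) -> list:
    """Turn the columns/values layout of an ES|QL response into a list of dicts."""
    names = [col["name"] for col in resp["columns"]]
    return [dict(zip(names, values)) for values in resp["values"]]


def missing_ratio(rows: list, field: str) -> float:
    """Fraction of rows where `field` is absent or null; 1.0 means it is never populated."""
    if not rows:
        return 1.0
    return sum(1 for r in rows if r.get(field) is None) / len(rows)


def check_time_field(resp: dict, time_field: str) -> None:
    """Fail loudly when the chosen time field is not populated in the returned rows.

    Filtering on the wrong field yields zero rows with no error, so an empty
    result is treated the same as an all-null column.
    """
    if missing_ratio(rows_from_response(resp), time_field) == 1.0:
        raise LookupError(f"{time_field!r} is empty in every returned row; "
                          "check which time field the ingest pipeline writes")


# Constructed sample patterned on the thread's output: documents written by
# fluentbit carry `time` but no `@timestamp`.
SAMPLE_RESPONSE = {
    "columns": [{"name": "time", "type": "date"}, {"name": "@timestamp", "type": "date"}],
    "values": [
        ["2025-02-04T12:01:03.468Z", None],
        ["2025-02-04T12:00:35.637Z", None],
        ["2025-02-04T10:01:09.107Z", None],
    ],
}

if __name__ == "__main__":
    start, end = last_hours(24)
    body = build_query_body("fido2.multi-tenant.events-test12.0*", "time", start, end)
    print(json.dumps(body, indent=2))
    check_time_field(SAMPLE_RESPONSE, "time")        # passes: `time` is populated
    try:
        check_time_field(SAMPLE_RESPONSE, "@timestamp")
    except LookupError as exc:
        print("would have returned nothing:", exc)
```

Run it as-is to see the request body; to go live, point `ES_URL`/`API_KEY` at a cluster and pass the body to `run_query`, then feed the response to `check_time_field` before building any dashboard or rule on it.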